On Mon, 17 Dec 2012, John Miller wrote:
On 12/17/2012 05:02 PM, David Lang wrote:
My guess is that something is interrupting the TCP connection and logs
then stop (possibly a firewall or NAT timeout), logs are then buffered
until something gets restarted and they start flowing again.
Right you were! Tested this out by commenting out the @@loghost.brandeis.edu
entry, and things worked locally. I'd prefer to send syslog messages via
UDP, anyhow.
change it to @loghost.brandeis.edu and it will send UDP
David Lang
I'll play around with this some more in the morning. Pretty clear that I
need to read up a bit on syslog overall. Thanks for steering me in the right
direction.
John
However, I don't see anything in your config that would spool to disk,
so it would have to be a HUP refresh on the sender, or a full restart on
the reciever that would get logs flowing again (a full stop on the
sender would throw away the logs that it has buffered)
Ryslog always buffers logs, but usually only does so for a very short
time. The internal structure of rsyslog is that it has one or more
threads recieving new messages and adding them to a queue (by default
in-memory), and one or more threads pulling messages out of the queue
and delivering them (either directly, ot to a secondary queue with yet
another thread pulling from that queue for delivery)
I notice that you have rsyslog set for TCP relaying of messages, you
need to be aware that if rsyslog is unable to deliver messages for long
enough that it's internal buffering fills up, it will stop accepting new
messages, and this will cause systems trying to log to syslog to stop.
Rsyslog has config options to let you tell it to throw away logs if it
gets too full, or to spill logs out to disk, but you don't appear to
have any of these options configured.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
